Updated: 2025-08-20 02:02:29.591007
Description:
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum, if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
| Links | NIST | CIRCL | RHEL | Ubuntu |
|---|---|---|---|---|

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | NONE | 0.0 |
| CVSS Version 3.x | MEDIUM | 6.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | golang | 1.19.13 | 6.5 | MEDIUM | Released | CLSA-2025:1748626881 | 2025-05-31 04:12:04 | |
| AlmaLinux 9.2 ESU | osbuild-composer | 76 | 6.5 | MEDIUM | Ignored | | 2025-10-28 00:26:09 | |
| AlmaLinux 9.2 ESU | git-lfs | 3.2.0 | 6.5 | MEDIUM | Ignored | | 2025-10-28 00:26:49 | |
| AlmaLinux 9.2 ESU | grafana | 9.0.9 | 6.5 | MEDIUM | Not Vulnerable | | 2025-08-28 01:05:50 | |
| AlmaLinux 9.2 ESU | grafana-pcp | 5.1.1 | 6.5 | MEDIUM | Ignored | | 2025-10-28 00:26:44 | |